From employee protection to consumer safety, risk management is a central daily duty of corporate management and has become top of the oversight agenda for corporate boards. While managers remain in charge of day-to-day risk management, the board’s oversight role has expanded so much that directors benefit from thinking broadly and deeply about how they can add value.
To start, prioritization of risk management is due to the acceleration and proliferation of risks, reinforced by widespread demands that corporations anticipate and mitigate them, and enabled by well-developed guides to enterprise risk management.
Contemporary accelerants of risk proliferation include artificial intelligence, cyber and ransomware attacks, data breaches, geopolitical upheaval, global pandemics and natural disasters, severe supply chain disruption, the emergence of ESG and the backlash against it, the rise of stakeholder activism, economic uncertainty and labor unrest, the spread and persistence of disinformation, and its amplification across social media platforms.
Constituents urging corporations to take responsibility to combat such risks include activist organizations, asset managers, business partners, customers, employees, federal lawmakers, insurers, investors, media, plaintiffs’ lawyers, proxy advisors, securities regulators, standard setters, state courts, stock exchanges, and university professors.
The burgeoning guidance on enterprise risk management includes publications by the Committee of Sponsoring Organizations of the Treadway Commission (COSO); the Conference Board; the Institute of Internal Auditors (Three Lines Model); the International Organization for Standardization (ISO 31000); and the National Association of Corporate Directors (NACD).
The result is a “new normal” where constituents seek not only skilled crisis response when risks are realized, but corporate leaders who are predictive, preventative, and proactive. The question for directors, as risk management overseers, is how to help a company adapt and thrive in the new normal, with dynamic challenges and threats, while keeping intact a company’s brand, culture, finances, goodwill, operations, rational risk-taking and reputation.
Stepping back, appreciate that all companies are vulnerable to crisis-level events, which can present suddenly, with or without warning, on multiple fronts, often simultaneously. Key facts may be uncertain, unknown, and rapidly evolving. Pressures are often compounded by the potential loss of control, and the risk of financial, operational, and reputational harm.
Besides the fallout from the event itself, all related board and management decisions—before, during and after the event—will be scrutinized by those inside and outside the company from employees and shareholders, to customers and competitors, to journalists and regulators.
To reduce the probability of such events, and their magnitude if they do occur, the new normal requires a “whole company” response, with directors and top executives setting a tone at the top that builds a culture of risk avoidance and institutional resilience. A broad framework of overall enterprise threat management entails optimizing crisis preparedness and mitigation in a way that is consistent with a company’s culture, organizational structure, priorities, resources, and risk appetite.
Directors should appreciate that effective risk management requires advanced, holistic, innovative, strategic, and thoughtful preparation. It requires a multidisciplinary approach, in which boards collectively possess a broad range of knowledge, encompassing demographics, economics, geography, history, politics, psychology, regulation, and technology—all set against inherent unknowns and rapidly unfolding or escalating events, and unavoidable second-guessing.
Daunting as all that can seem, reducing the risk of crisis-level events benefits from learning the cumulative lessons of the many previous corporate crises others have faced. Directors benefit from learning event histories that help contextualize and visualize the likelihood and scope of potential threats. Doing so helps generate options for evidence-based decision-making, the key to weathering any threat scenario.
Essential lessons are best learned from experience across multiple industries—forecasting potential threats and taking timely corrective action when necessary. The mission is to generate actionable information for decision-makers, and to help build a corporate “early warning system,” so that potential threats can be ascertained, evaluated, and mitigated economically, efficiently, and promptly.
For one, experience has shown that managing risk requires breaking down “information silos” by creating incentives that encourage candid communication and transparency. In highly decentralized organizations where autonomy is valued, divisional managers must be encouraged to share vulnerabilities with headquarters, so that leadership becomes aware of any concentration of issues that together would create unacceptable risk.
Information must reach decision-makers in time for them to take necessary action. That means developing customized templates that specify what information must be passed on, to whom, and how it is to be escalated and processed. This effort may have to withstand the rigor and scrutiny of cross-examination in court, shareholder review, and second-guessing by regulatory or legislative bodies.
Conferring with experts from specific business units, supplemented by external experts as needed, can be invaluable in formulating viable strategic options for the company. Through trend analysis, scenario planning, and stress testing, the company can collaborate with these experts to visualize near-, mid-, and long-term risks and build up its resilience to them.
Despite the lessons learned from prior instances, it is also critical to appreciate that each crisis is unique and likely complex. Today’s corporate crises frequently involve legal issues that span traditionally discrete areas such as consumer protection, corporate governance, corporate restructuring, employee relations, governmental investigations, securities regulation, and white-collar crime. A fully integrated, multidisciplinary, and well-prepared approach is key. No two crises present the same challenges, and having a customized, comprehensive strategy in place in advance for managing such events increases the likelihood that a company will weather the storm.
Moreover, enterprise risk is not a “one-size-fits-all” proposition. Each company must tailor its risk management program to its specific needs. Experience conducting internal investigations, counseling corporate leaders, and shaping public policy informs the creation and implementation of a risk management program customized to each company’s particular threat profile and related compliance requirements, corporate culture, and industry standards, as well as its available staffing, training, and other resources. The net effect of such an approach is to reduce ad hoc, compartmentalized efforts and to develop a plan that is coherent, holistic, and unified, by design and not by default.
Put differently, each company will benefit from a combination of general frameworks, such as that published by COSO, along with specific lessons from experience that can be tailored to fit the company’s unique circumstances and needs.
[Figure: two complementary inputs to a tailored program: General COSO Framework; Specific Lessons from Experience]
This post comes to us from Mayer Brown. It is based on the firm’s memorandum, “Corporate Governance and Risk Management Experience.”